Some questions with reversing asm via ida

[carpoa 3.6k iPhone SE (2020) 16]

Got a few questions, Still new to decompiling stuff and reversing so yeah.

I will list them below.

 

1.

When I am reversing a function and it calls the CityBalance$$GetUpgradePrice then (I am guessing) it stores the returned value in D8 from D0 right? 

 

2.

When decompiling functions I sometimes see var_whateverhere = 0xwhateverHere but it isnt a field offset of anykind, what do they do and how can I understand them? (I included some of the start asm of that function to help you understand if needed)

 

3.

When wanting to hook onto functions, to modify the field offset (in this case we will use 0x10 = int Coins) would I do something like FunctionOffset + 0x10 to get the fieldoffest variable to then read/write toward that pointed to object?

 

Like I said I am still new to decompiling stuff and reversing, please excuse me if this is easy for you. 

[Theo1357 26.1k iPhone 6s 14.4]

1. Yes
2. I gusse it is offset in stack, skip it
3. No, you must use pointer class + 0x10

void (*old_PersistentPlayerUpdate)(void* _this) = nil;
void PersistentPlayerUpdate(void* _this) {
   old_PersistentPlayerUpdate(_this);
   if ([menu isSwitchWithIdentifierActive:@"currency"]) {
     void *playerData = *(void **)((uint64_t)_this + 0x18);
     void *Container = *(void **)((uint64_t)playerData + 0x30);
     void *Player = *(void **)((uint64_t)Container + 0x10);
     void *player = *(void **)((uint64_t)Player + 0x10);
    *(int *)((uint64_t)player + 0x134) = 999999999;
    *(int *)((uint64_t)player + 0x138) = 999999999;
    *(int *)((uint64_t)player + 0x13C) = 999999999;
    *(int *)((uint64_t)player + 0x140) = 999999999;
  }
}

MSHookFunction((void *)getRealOffset(APEncryptHex(0x013BE034)), (void *)PersistentPlayerUpdate, (void **)&old_PersistentPlayerUpdate);

[carpoa 3.6k iPhone SE (2020) 16]

4 minutes ago, tien0246 said:

1. Yes
2. I gusse it is offset in stack, skip it
3. No, you must use pointer class + 0x10

void (*old_PersistentPlayerUpdate)(void* _this) = nil;
void PersistentPlayerUpdate(void* _this) {
   old_PersistentPlayerUpdate(_this);
   if ([menu isSwitchWithIdentifierActive:@"currency"]) {
     void *playerData = *(void **)((uint64_t)_this + 0x18);
     void *Container = *(void **)((uint64_t)playerData + 0x30);
     void *Player = *(void **)((uint64_t)Container + 0x10);
     void *player = *(void **)((uint64_t)Player + 0x10);
    *(int *)((uint64_t)player + 0x134) = 999999999;
    *(int *)((uint64_t)player + 0x138) = 999999999;
    *(int *)((uint64_t)player + 0x13C) = 999999999;
    *(int *)((uint64_t)player + 0x140) = 999999999;
  }
}

MSHookFunction((void *)getRealOffset(APEncryptHex(0x013BE034)), (void *)PersistentPlayerUpdate, (void **)&old_PersistentPlayerUpdate);

Thank you and thank you alot more for providing a code sample. 

[carpoa 3.6k iPhone SE (2020) 16]

On 6/2/2024 at 9:55 AM, tien0246 said:

3. No, you must use pointer class + 0x10

Just to be 100% sure:

The offset of the class would be the pointer class in this case correct?

So 0x32B87DC + 0x14 (example)

[Theo1357 26.1k iPhone 6s 14.4]

38 minutes ago, carpoa said:

Just to be 100% sure:

The offset of the class would be the pointer class in this case correct?

So 0x32B87DC + 0x14 (example)

Nope, pointer not offset.

If you wanna hack field in ida, try find somewhere like

str w9, [x19, #0x10]
register w9 hold your coin, find at the top somewhere write the value in w9

[carpoa 3.6k iPhone SE (2020) 16]

1 minute ago, tien0246 said:

Nope, pointer not offset.

If you wanna hack field in ida, try find somewhere like

str w9, [x19, #0x10]
register w9 hold your coin, find at the top somewhere write the value in w9

ic mk. Could you just explain using pointers and getting them please? Thanks for your help 

[Theo1357 26.1k iPhone 6s 14.4]

31 minutes ago, carpoa said:

ic mk. Could you just explain using pointers and getting them please? Thanks for your help 

 

On 6/2/2024 at 3:55 PM, tien0246 said:

1. Yes
2. I gusse it is offset in stack, skip it
3. No, you must use pointer class + 0x10

void (*old_PersistentPlayerUpdate)(void* _this) = nil;
void PersistentPlayerUpdate(void* _this) {
   old_PersistentPlayerUpdate(_this);
   if ([menu isSwitchWithIdentifierActive:@"currency"]) {
     void *playerData = *(void **)((uint64_t)_this + 0x18);
     void *Container = *(void **)((uint64_t)playerData + 0x30);
     void *Player = *(void **)((uint64_t)Container + 0x10);
     void *player = *(void **)((uint64_t)Player + 0x10);
    *(int *)((uint64_t)player + 0x134) = 999999999;
    *(int *)((uint64_t)player + 0x138) = 999999999;
    *(int *)((uint64_t)player + 0x13C) = 999999999;
    *(int *)((uint64_t)player + 0x140) = 999999999;
  }
}

MSHookFunction((void *)getRealOffset(APEncryptHex(0x013BE034)), (void *)PersistentPlayerUpdate, (void **)&old_PersistentPlayerUpdate);

Using hook like it

[carpoa 3.6k iPhone SE (2020) 16]

3 minutes ago, tien0246 said:

 

Using hook like it

ohh ok gotcha.

Reading the code I'm assuming _this is the pointer (I guess you could say that) for the class it is within right? I just want to be sure.

[Theo1357 26.1k iPhone 6s 14.4]

9 minutes ago, carpoa said:

ohh ok gotcha.

Reading the code I'm assuming _this is the pointer (I guess you could say that) for the class it is within right? I just want to be sure.

_this is poiter class

[carpoa 3.6k iPhone SE (2020) 16]

1 minute ago, tien0246 said:

_this is poiter class

gotcha right that makes sense thank you.